Description
An issue was discovered in Control Web Panel (CWP) before 0.9.8.1209. User input passed via the "key" GET parameter to /admin/index.php (when the "api" parameter is set) is not properly sanitized before being used to execute OS commands. This can be exploited by unauthenticated attackers to inject and execute arbitrary OS commands with the privileges of root on the web server. Softaculous or SitePad must be present.
Published: 2026-05-08
Score: 7.3 High
EPSS: 32.4% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises because user input passed through the 'key' GET parameter to /admin/index.php is used directly in OS command execution without proper sanitization. This flaw allows an attacker who does not need authentication to inject and run arbitrary operating-system commands with root privileges on the server. The weakness is an OS command injection flaw (CWE-78) and could fully compromise system integrity, confidentiality and availability.

Affected Systems

Control Web Panel is affected: all installations prior to version 0.9.8.1209 are vulnerable. Exploitation additionally requires Softaculous or SitePad to be installed on the system.

Risk and Exploitability

Because the flaw grants root-level command execution, the potential impact is catastrophic. The CVSS score of 7.3 denotes high severity. An EPSS score of 32% indicates a moderate probability of exploitation, and the attack vector is an unauthenticated HTTP request to the API endpoint. The vulnerability is not listed in the CISA KEV catalog, but its criticality warrants immediate attention.

Generated by OpenCVE AI on May 29, 2026 at 15:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Control Web Panel 0.9.8.1209 or later, which removes the unsanitized command execution path.
  • If an upgrade is not immediately possible, disable access to /admin/index.php or block requests that carry the 'api' and 'key' query parameters.
  • Remove Softaculous or SitePad from the system, or ensure they are not exposed to the public web interface, to eliminate the conditional component required for exploitation.

Advisories

No advisories yet.

History

Fri, 29 May 2026 16:15:00 +0000

Type Values Removed Values Added
Title Command Injection in Control Web Panel via Unsanitized GET Parameter

Sat, 16 May 2026 15:00:00 +0000

Type Values Removed Values Added
Title Command Injection in Control Web Panel via Unsanitized GET Parameter

Mon, 11 May 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Centos-webpanel
Centos-webpanel centos Web Panel
Vendors & Products Centos-webpanel
Centos-webpanel centos Web Panel

Sat, 09 May 2026 15:00:00 +0000

Type Values Removed Values Added
Title Root-Privileged Command Injection in Control Web Panel via Unsanitized API Parameter

Fri, 08 May 2026 19:15:00 +0000

Type Values Removed Values Added
Title Root-Privileged Command Injection in Control Web Panel via Unsanitized API Parameter

Fri, 08 May 2026 15:30:00 +0000

Type Values Removed Values Added
Title Unauthenticated OS Command Injection via 'key' API Parameter in Control Web Panel before v0.9.8.1209

Fri, 08 May 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 08 May 2026 08:00:00 +0000

Type Values Removed Values Added
Title Unauthenticated OS Command Injection via 'key' API Parameter in Control Web Panel before v0.9.8.1209
Weaknesses CWE-78

Fri, 08 May 2026 07:30:00 +0000

Type Values Removed Values Added
References

Fri, 08 May 2026 06:30:00 +0000

Type Values Removed Values Added
Description An issue was discovered in Control Web Panel (CWP) before 0.9.8.1209. User input passed via the "key" GET parameter to /admin/index.php (when the "api" parameter is set) is not properly sanitized before being used to execute OS commands. This can be exploited by unauthenticated attackers to inject and execute arbitrary OS commands with the privileges of root on the web server. Softaculous or SitePad must be present.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-08T14:13:43.786Z

Reserved: 2025-12-12T00:00:00.000Z

Link: CVE-2025-67888

Vulnrichment

Updated: 2026-05-08T05:52:30.620Z

NVD

Status : Awaiting Analysis

Published: 2026-05-08T07:16:28.487

Modified: 2026-05-08T16:02:14.343

Link: CVE-2025-67888

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T16:00:15Z

Weaknesses